Compliance
Last updated: June 1, 2026. XYBIT's regulatory compliance programme covering FIU-IND, KYC, AML, and tax obligations.
XYBIT Technologies Private Limited ("XYBIT") operates as a compliant Virtual Digital Asset (VDA) exchange in India. Our compliance programme is built to meet and exceed the requirements set by Indian regulators, including the Financial Intelligence Unit – India (FIU-IND), the Income Tax Department, and applicable provisions of the Prevention of Money Laundering Act, 2002 (PMLA). We are committed to operating with full transparency and regulatory integrity.
XYBIT is registered with FIU-IND as a reporting entity for Virtual Digital Assets under the PMLA. This registration mandates compliance with KYC norms, transaction monitoring, suspicious transaction reporting (STR), and maintenance of required records.
A designated Principal Officer is responsible for overseeing all regulatory reporting, liaising with FIU-IND, and ensuring the timely and accurate submission of Cash Transaction Reports (CTRs) and Suspicious Transaction Reports (STRs).
All users are required to complete full KYC before accessing trading, deposit, or withdrawal features. We collect PAN, Aadhaar-based eKYC or government-issued photo ID, and proof of address for higher-tier accounts.
Customers are classified into Low, Medium, and High risk categories based on transaction patterns, geographic risk, PEP (Politically Exposed Person) status, and source of funds. Enhanced Due Diligence (EDD) is applied to High-risk accounts.
All transactions are monitored in real time using rule-based and AI-driven detection models. Alerts are generated for unusual transaction volumes, structuring patterns, rapid fund movements, and wallet addresses linked to known illicit activity.
XYBIT screens all users and counterparty wallet addresses against global sanctions lists including the UN Security Council Consolidated List, OFAC SDN list, EU consolidated list, and Indian designations under UAPA.
In accordance with Section 194S of the Income Tax Act, 1961, XYBIT deducts TDS at the prescribed rate on every VDA transfer executed on the platform. TDS certificates are made available to users on a quarterly basis.
Gains from VDA transactions are taxable under the head "Income from Virtual Digital Assets" at the flat rate specified under Section 115BBH. XYBIT provides users with annual transaction summaries and P&L reports to assist in accurate income tax filing.
GST is applied on XYBIT platform fees as per applicable rates. Tax invoices are generated for every chargeable transaction and are available in your account statement.
XYBIT maintains strict data security controls to protect personally identifiable information (PII) and financial data. All data is encrypted at rest and in transit. Access to customer data is restricted to authorised personnel on a need-to-know basis.
KYC records, transaction records, and compliance filings are retained for a minimum of five years as required under PMLA Rules. Upon account closure, data is retained for the statutory minimum period before secure deletion.
Customer data may be disclosed to regulatory authorities, law enforcement agencies, and courts in accordance with applicable Indian law. XYBIT will not share data with third parties for commercial purposes without user consent.
XYBIT has an internal Compliance Committee comprising senior management, the Principal Officer, and legal counsel. The committee meets quarterly to review the effectiveness of the compliance programme and approve updates to policies and procedures.
All employees receive mandatory compliance training upon joining and annually thereafter. Training covers AML/CFT obligations, data protection, sanctions compliance, and internal reporting procedures.
XYBIT engages independent third-party auditors annually to review the effectiveness of compliance controls. Audit findings are reported to the Board and remediation actions are tracked to closure.
For compliance-related enquiries, please contact our Compliance team at compliance@xybit.in. Regulators and law enforcement agencies may contact us at the same address or via our registered office.